15 changed files with 240 additions and 242 deletions
--- a/flake.nix
+++ b/flake.nix
@ -15,12 +15,13 @@
  };

  outputs = {
+    self,
    nixpkgs,
    nixos-mailserver,
    agenix,
    ...
  }: let
-    inherit (nixpkgs) lib;
+    lib = nixpkgs.lib;
  in {
    nixosConfigurations = {
      distrust = lib.nixosSystem {
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,12 +1,13 @@
 let
  user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk+P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno:16_179_196";
-  users = [user];
+  users = [ user ];
  
  system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKxw1fDsIUUh3vWCD90LDgDMAG/NSVRg7QamUbknz5A root@distrust";
-  systems = [system];
+  systems = [ system ];

  all = users ++ systems;
-in {
+in
+{
  "bind_pw".publicKeys = all;
  "nextcloud-admin-pass".publicKeys = all;
  "vaultwarden.env".publicKeys = all;
--- a/services/akkoma.nix
+++ b/services/akkoma.nix
@ -8,45 +8,43 @@
  onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
  inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
 in {
-  services = {
-    akkoma = {
-      enable = true;
-      config = {
-        ":pleroma" = {
-          ":instance" = {
-            name = "social.distrust.network";
-            description = "Akkoma instance for distrust.network users";
-            email = "root@distrust.network";
-            registration_open = false;
-          };
-          ":ldap" = {
-            enabled = true;
-            host = "localhost";
-            port = 3890;
-            ssl = false;
-            tls = false;
-            base = "ou=people,dc=distrust,dc=network";
-            uid = "uid";
-          };
-          "Pleroma.Upload".base_url = "https://social.distrust.network/media/";
-          "Pleroma.Web.Endpoint" = {
-            url.host = "social.distrust.network";
-            http = {
-              ip = "0.0.0.0";
-              port = fediPort;
-            };
-          };
-          "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
+  services.akkoma = {
+    enable = true;
+    config = {
+      ":pleroma" = {
+        ":instance" = {
+          name = "social.distrust.network";
+          description = "Akkoma instance for distrust.network users";
+          email = "root@distrust.network";
+          registration_open = false;
        };
+        ":ldap" = {
+          enabled = true;
+          host = "localhost";
+          port = 3890;
+          ssl = false;
+          tls = false;
+          base = "ou=people,dc=distrust,dc=network";
+          uid = "uid";
+        };
+        "Pleroma.Upload".base_url = "https://social.distrust.network/media/";
+        "Pleroma.Web.Endpoint" = {
+          url.host = "social.distrust.network";
+          http = {
+            ip = "0.0.0.0";
+            port = fediPort;
+          };
+        };
+        "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
      };
    };
-
-    caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
-      reverse_proxy localhost:${toString fediPort}
-    '';
-
-    tor.relay.onionServices."akkoma".map = [
-      80
-    ];
  };
+
+  services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
+    reverse_proxy localhost:${toString fediPort}
+  '';
+
+  services.tor.relay.onionServices."akkoma".map = [
+    80
+  ];
 }
--- a/services/dante.nix
+++ b/services/dante.nix
@ -9,6 +9,6 @@
    '';
  };

-  networking.firewall.allowedTCPPorts = [1080];
-  networking.firewall.allowedUDPPorts = [1080];
+  networking.firewall.allowedTCPPorts = [ 1080 ];
+  networking.firewall.allowedUDPPorts = [ 1080 ];
 }
--- a/services/default.nix
+++ b/services/default.nix
@ -7,8 +7,7 @@
    ./akkoma.nix
    ./prosody.nix
    ./lldap.nix
-    # Dante not working right now, possibly misconfigured.
-    #./dante.nix
+    ./dante.nix
    ./vaultwarden.nix
    ./mailserver.nix
  ];
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -2,24 +2,22 @@ let
  forgejoPort = 8082;
  onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
 in {
-  services = {
-    forgejo = {
-      enable = true;
-      lfs.enable = false;
-      settings.server = {
-        DOMAIN = "git.distrust.network";
-        HTTP_PORT = forgejoPort;
-        ROOT_URL = "https://git.distrust.network/";
-        SSH_PORT = 292;
-      };
+  services.forgejo = {
+    enable = true;
+    lfs.enable = false;
+    settings.server = {
+      DOMAIN = "git.distrust.network";
+      HTTP_PORT = forgejoPort;
+      ROOT_URL = "https://git.distrust.network/";
+      SSH_PORT = 292;
    };
-
-    caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
-      reverse_proxy localhost:${toString forgejoPort}
-    '';
-
-    tor.relay.onionServices."forgejo".map = [
-      80
-    ];
  };
+
+  services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
+    reverse_proxy localhost:${toString forgejoPort}
+  '';
+
+  services.tor.relay.onionServices."forgejo".map = [
+    80
+  ];
 }
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@ -1,15 +1,16 @@
-{config, ...}: {
+{ config, ... }:
+{
  mailserver = {
    enable = true;
    fqdn = "distrust.network";
-    domains = ["distrust.network"];
+    domains = [ "distrust.network" ];
    certificateScheme = "acme";
    ldap = {
      enable = true;
      bind.dn = "cn=bind,ou=people,dc=distrust,dc=network";
      bind.passwordFile = config.age.secrets."bind_pw".path;
      searchBase = "ou=people,dc=distrust,dc=network";
-      uris = ["ldap://localhost:3890"];
+      uris = [ "ldap://localhost:3890" ];
    };
  };
 }
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -8,97 +8,96 @@
 in {
  age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
  
-  users.groups.nextcloud.members = ["nextcloud" "caddy"];
-  services = {
-    nextcloud = {
-      enable = true;
-      hostName = "cloud.distrust.network";
-      settings = {
-        trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
-        trusted_proxies = ["127.0.0.1"];
-        maintenance_window_start = 1;
-      };
-      config = {
-        adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
-        dbtype = "pgsql";
-      };
-      package = pkgs.nextcloud32;
-      https = false;
-      configureRedis = true;
-      caching.redis = true;
-      database.createLocally = true;
-      phpOptions = {
-        "opcache.interned_strings_buffer" = 64;
-      };
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.distrust.network";
+    settings = {
+      trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
+      trusted_proxies = ["127.0.0.1"];
+      maintenance_window_start = 1;
    };
-
-    nginx.enable = lib.mkForce false;
-    phpfpm.pools.nextcloud.settings = {
-      "listen.owner" = "caddy";
-      "listen.group" = "caddy";
+    config = {
+      adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
+      dbtype = "pgsql";
    };
-    caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
-      # encode zstd gzip
-
-      root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
-
-      redir /.well-known/carddav /remote.php/dav 301
-      redir /.well-known/caldav /remote.php/dav 301
-      redir /.well-known/* /index.php{uri} 301
-      redir /remote/* /remote.php{uri} 301
-
-
-      header {
-        Strict-Transport-Security max-age=31536000
-        Permissions-Policy interest-cohort=()
-        X-Content-Type-Options nosniff
-        X-Frame-Options SAMEORIGIN
-        Referrer-Policy no-referrer
-        X-XSS-Protection "1; mode=block"
-        X-Permitted-Cross-Domain-Policies none
-        X-Robots-Tag "noindex, nofollow"
-        -X-Powered-By
-        Host {host}
-        X-Real-IP {remote_host}
-        X-Forwarded-For {remote_host}
-        X-Forwarded-Proto {scheme}
-        X-Forwarded-Host {host}
-      }
-
-
-      php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
-        root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
-        env front_controller_active true
-        env modHeadersAvailable true
-      }
-
-      @forbidden {
-        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
-        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
-        not path /.well-known/*
-      }
-      error @forbidden 404
-
-      @immutable {
-        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
-        query v=*
-      }
-      header @immutable Cache-Control "max-age=15778463, immutable"
-
-      @static {
-        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
-        not query v=*
-      }
-      header @static Cache-Control "max-age=15778463"
-
-      @woff2 path *.woff2
-      header @woff2 Cache-Control "max-age=604800"
-
-      file_server
-    '';
-
-    tor.relay.onionServices."nextcloud".map = [
-      80
-    ];
+    package = pkgs.nextcloud32;
+    https = true;
+    configureRedis = true;
+    caching.redis = true;
+    database.createLocally = true;
  };
+
+  users.groups.nextcloud.members = [ "nextcloud" "caddy" ];
+  services.nginx.enable = lib.mkForce false;
+  services.phpfpm.pools.nextcloud.settings = {
+    "listen.owner" = "caddy";
+    "listen.group" = "caddy";
+  };
+  services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
+    # encode zstd gzip
+    
+    root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
+
+    redir /.well-known/carddav /remote.php/dav 301
+    redir /.well-known/caldav /remote.php/dav 301
+    redir /.well-known/* /index.php{uri} 301
+    redir /remote/* /remote.php{uri} 301
+
+
+    header {
+      Strict-Transport-Security max-age=31536000
+      Permissions-Policy interest-cohort=()
+      X-Content-Type-Options nosniff
+      X-Frame-Options SAMEORIGIN
+      Referrer-Policy no-referrer
+      X-XSS-Protection "1; mode=block"
+      X-Permitted-Cross-Domain-Policies none
+      X-Robots-Tag "noindex, nofollow"
+      -X-Powered-By
+      Host {host}
+      X-Real-IP {remote_host}
+      X-Forwarded-For {remote_host}
+      X-Forwarded-Proto {scheme}
+      X-Forwarded-Host {host}
+    }
+
+    
+    php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
+      root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
+      env front_controller_active true
+      env modHeadersAvailable true
+    }
+
+    @forbidden {
+      path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+      path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+      not path /.well-known/*
+    }
+    error @forbidden 404
+
+    @immutable {
+      path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+      query v=*
+    }
+    header @immutable Cache-Control "max-age=15778463, immutable"
+
+    @static {
+      path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+      not query v=*
+    }
+    header @static Cache-Control "max-age=15778463"
+
+    @woff2 path *.woff2
+    header @woff2 Cache-Control "max-age=604800"
+
+    file_server
+  '';
+
+  services.nextcloud.phpOptions = {
+    "opcache.interned_strings_buffer" = 64;
+  };
+
+  services.tor.relay.onionServices."nextcloud".map = [
+    80
+  ];
 }
--- a/services/prosody.nix
+++ b/services/prosody.nix
@ -1,50 +1,36 @@
 {
  pkgs,
+  lib,
  config,
  ...
 }: {
  age.secrets."bind_pw".file = ../secrets/bind_pw;

-  services = {
-    prosody = {
-      package = pkgs.prosody.override {
-        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
-      };
-      enable = true;
-      admins = ["root@distrust.network"];
+  services.prosody = {
+    package = pkgs.prosody.override {
+      withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
+    };
+    enable = true;
+    admins = ["root@distrust.network"];
+    ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
+    ssl.key = "/var/lib/acme/distrust.network/key.pem";
+    virtualHosts."distrust.network" = {
+      enabled = true;
+      domain = "distrust.network";
      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
      ssl.key = "/var/lib/acme/distrust.network/key.pem";
-      virtualHosts."distrust.network" = {
-        enabled = true;
-        domain = "distrust.network";
-        ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
-        ssl.key = "/var/lib/acme/distrust.network/key.pem";
-      };
-      muc = [{domain = "conference.distrust.network";}];
-      httpFileShare = {
-        domain = "upload.distrust.network";
-        path = "/var/lib/prosody";
-      };
-      extraConfig = ''
-        authentication = "ldap"
-        ldap_base = "ou=people,dc=distrust,dc=network"
-        ldap_server = "localhost:3890"
-        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
-        ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
-      '';
    };
-    caddy.virtualHosts."distrust.network".extraConfig = ''
-      handle /.well-known/* {
-        root * /var/lib/acme/
-        file_server
-      }
-    '';
-
-    caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
-      handle /.well-known/* {
-        root * /var/lib/acme/
-        file_server
-      }
+    muc = [{domain = "conference.distrust.network";}];
+    httpFileShare = {
+      domain = "upload.distrust.network";
+      path = "/var/lib/prosody";
+    };
+    extraConfig = ''
+      authentication = "ldap"
+      ldap_base = "ou=people,dc=distrust,dc=network"
+      ldap_server = "localhost:3890"
+      ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
+      ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
    '';
  };

@ -77,4 +63,18 @@
    #  after = [ "acme-order-renew-chat.distrust.network.service" ];
    serviceConfig.SupplementaryGroups = ["acme"];
  };
+
+  services.caddy.virtualHosts."distrust.network".extraConfig = ''
+    handle /.well-known/* {
+      root * /var/lib/acme/
+      file_server
+    }
+  '';
+
+  services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
+    handle /.well-known/* {
+      root * /var/lib/acme/
+      file_server
+    }
+  '';
 }
--- a/services/site.nix
+++ b/services/site.nix
@ -1,4 +1,9 @@
-let
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  sitePort = 8080;
  onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion";
 in {
  services.caddy.virtualHosts = {
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -1,25 +1,25 @@
-{config, ...}: let
+{ config, ... }:
+let 
  vaultPort = 8222;
  onionUrl = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
-in {
+in
+{
  age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;
 
-  services = {
-    vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = "https://vault.distrust.network";
-        ROCKET_PORT = vaultPort;
-      };
-      environmentFile = config.age.secrets."vaultwarden.env".path;
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://vault.distrust.network";
+      ROCKET_PORT = vaultPort;
    };
-
-    caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
-      reverse_proxy localhost:${toString vaultPort}
-    '';
-
-    tor.relay.onionServices."vaultwarden".map = [
-      80
-    ];
+    environmentFile = config.age.secrets."vaultwarden.env".path;
  };
+
+  services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
+    reverse_proxy localhost:${toString vaultPort}
+  '';
+
+  services.tor.relay.onionServices."vaultwarden".map = [
+    80
+  ];
 }
--- a/site/index.html
+++ b/site/index.html
@ -55,7 +55,7 @@
 	    <li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li>
        </ul>
        <p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p>
-	<p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over <a href="http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion/root/flake">TOR</a> and <a href="https://git.distrust.network/root/flake">clearnet</a>.</p>
+        <p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks.</p>
        <p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p>
        <hr>
        <a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/privacy-policy.html" class="privacy-policy">Privacy Policy</a>
--- a/system/configuration.nix
+++ b/system/configuration.nix
@ -1,10 +1,11 @@
-{pkgs, ...}: let
-  updateScript = pkgs.writeShellScriptBin "rebuild" ''
-    #!/bin/sh
-    nixos-rebuild switch --flake /etc/nixos#distrust --impure
-  '';
-in {
-  environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix] ++ [updateScript];
+{pkgs, ...}:
+let updateScript = pkgs.writeShellScriptBin "rebuild" ''
+  #!/bin/sh
+  nixos-rebuild switch --flake /etc/nixos#distrust --impure
+'';
+in
+{
+  environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix] ++ [ updateScript ];

  nix.settings.experimental-features = ["nix-command" "flakes"];

@ -12,18 +13,16 @@ in {
  zramSwap.enable = true;
  networking.hostName = "distrust";

-  services = {
-    openssh = {
-      enable = true;
-      settings.PermitRootLogin = "yes";
-      ports = [292];
-    };
-    fail2ban.enable = true;
-    endlessh = {
-      enable = true;
-      port = 22;
-      openFirewall = true;
-    };
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+    ports = [292];
+  };
+  services.fail2ban.enable = true;
+  services.endlessh = {
+    enable = true;
+    port = 22;
+    openFirewall = true;
  };

  users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
--- a/system/default.nix
+++ b/system/default.nix
@ -3,5 +3,6 @@
    ./configuration.nix
    ./hardware-configuration.nix
    ./networking.nix
+    <nixpkgs/nixos/modules/profiles/hardened.nix>
  ];
 }
--- a/system/hardware-configuration.nix
+++ b/system/hardware-configuration.nix
@ -1,12 +1,8 @@
 {modulesPath, ...}: {
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
-  boot = {
-    loader.grub.device = "/dev/sda";
-    initrd = {
-      availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
-      kernelModules = ["nvme"];
-    };
-  };
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+  boot.initrd.kernelModules = ["nvme"];
  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";